This question already has an answer here:
I'm using sha1 to encrypt it. Should I mysql_real_escape_string() as well, or is encrypting it enough?
</div>
Technically speaking, the output from sha1 will always be a hex-string, so you wouldn't need to escape it.
However: The answer to this question is always the same: escape the values. If it comes from a hard-coded variable 2 lines before your SQL, escape it. Always. Escape. Period. There are SO many other things to worry about optimizing.
Parameterized queries and PDO are always the best option, however
Second note: sha1 and md5 aren't the most secure for passwords. If you're not too far in, consider another solution such as blowfish